Which solution meets this requirement with the LEAST operational overhead?
Store the password in AWS Secrets Manager. Enable automatic rotation on the secret.
Store the password in AWS Systems Manager Parameter Store. Enable automatic rotation on the parameter.
Store the password in AWS Systems Manager Parameter Store. Write an AWS Lambda function that rotates the password.
Store the password in AWS Key Management Service (AWS KMS). Enable automatic rotation on the customer master key (CMK).
Explanations:
AWS Secrets Manager is designed for managing secrets such as database credentials and supports automatic rotation out of the box, which minimizes operational overhead. This option allows for seamless integration with RDS and automates the process of password rotation without requiring additional development effort.
Unlike AWS Secrets Manager, AWS Systems Manager Parameter Store does not natively support automatic rotation of secrets. While parameters can be stored securely, rotating the password would require manual intervention or additional development (such as using Lambda), which increases operational overhead.
Although this option could technically achieve the requirement by using a Lambda function to rotate the password, it involves more operational overhead. Writing and maintaining a Lambda function for password rotation requires additional management and monitoring, making it less optimal than using Secrets Manager’s built-in functionality.
AWS Key Management Service (AWS KMS) is primarily used for managing encryption keys, not for storing or rotating database passwords. Enabling automatic rotation on a customer master key (CMK) does not pertain to password management for RDS, so this option does not meet the requirement.